Security Alerts: OpenBSD Non-exploit and More

11/13/2000

Welcome to Security Alerts, an overview of new Unix and open source security-related advisories and news. This week there was a wide range of security-related announcements, from an OpenBSD non-exploit to problems with Netscape and system backup software.

OpenBSD non-exploit

A forged announcement of a vulnerability in OpenBSD was
published this week. The vulnerability, in short, was: "OpenBSD is a
vulnerable operating system because it runs on a computer which can be
physically accessed by an intruder." The forger made it appear as though it was from
cripto, who said about the message, "We do not know the individual who posted this 'OpenBSD exploit' and had no knowledge of it until we saw it on Bugtraq along with the rest of the world."

Red Hat Linux restore

Red Hat announced that the restore program can be exploited by a local
user to become root. The RSH environment variable can be pointed at any
executable program, and restore will then run that program as root. The
latest versions no longer require the setuid root bit, so upgrade now.

Star Office 5.2

Star Office 5.2 has a problem that can give other local users read and
write access to files owned by users who run Star Office. When Star Office
starts up it creates a /tmp/soffice.tmp directory and sets its
permissions to 0777. It also sets these same permissions again on other
occasions while it is running. It is possible to create a symbolic
link named /tmp/soffice.tmp pointing to a file or directory owned by a Star
Office user, and the permissions on that target are changed to 0777 when
the user runs Star Office. A suggested fix for this problem is to set
the $TMP environment variable to a temporary directory that only the
Star Office user can write to, such as $HOME/tmp. This causes Star Office to use the specified location ($TMP) for its temporary files.
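The suggested fix, carried out as a shell function, as an added example that is not from the column or from Star Office: it creates a private per-user temporary directory (defaulting to the $HOME/tmp the column mentions), refuses a symbolic link or a directory owned by someone else at that path, since those are what the attack relies on, and exports TMP to point at it. Exporting TMPDIR as well is an assumption for other programs that honour that variable instead.

```shell
#!/bin/sh
# Added example: set up a private temp directory and point $TMP at it,
# so a predictable, world-writable /tmp/soffice.tmp is never used.
setup_private_tmp() {
    dir="${1:-$HOME/tmp}"
    # Never operate through a symbolic link planted at the target path.
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symbolic link" >&2
        return 1
    fi
    # Create it with a restrictive umask so it is 0700 from the start.
    if [ ! -d "$dir" ]; then
        (umask 077 && mkdir "$dir") || return 1
    fi
    # The directory must belong to the calling user, not to someone else
    # who could have pre-created it (-O is supported by bash, dash and ksh).
    if [ ! -O "$dir" ]; then
        echo "refusing: $dir is not owned by $(id -un)" >&2
        return 1
    fi
    # Tighten the mode in case an existing directory was more permissive.
    chmod 0700 "$dir" || return 1
    TMP="$dir";    export TMP
    TMPDIR="$dir"; export TMPDIR   # assumption: for programs that use TMPDIR
    return 0
}

# Typical use before launching Star Office from a login script:
# setup_private_tmp && soffice
```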

New FreeBSD security officer

Warner Losh is resigning as FreeBSD's security
officer. He is going to be succeeded by Kris Kennaway, who has been
working as Warner's deputy in charge of the ports system for the last ten
months.

Pine Version 4.21

Pine 4.21 and earlier have a buffer overflow that can allow a remote
user to execute arbitrary code by sending a carefully crafted e-mail
message. Upgrading to Pine 4.30 will fix this problem.

Red Hat usermode packages

Red Hat's usermode package has some potential format-string problems.
The usermode package allows you to control access to programs
which are to be executed as root. If one of the programs that
usermode is controlling access for uses the LANG or LC_ALL environment
variables, it is possible to exploit them with a format-string attack.
Red Hat has updated packages available.

Bind DOS

The bind name server can be crashed with a compressed zone transfer
request from an authorized host. The default installation of bind does not support
compressed zone transfers, and a request for one can crash bind. From
what I have seen, this bug seems to affect bind up to 8.2.2 patch level 6. ISC recommends that everyone upgrade to 8.2.2 patch level 7, which also fixes several other denial-of-service problems in bind.

vlock vulnerability

The program vlock is designed to lock virtual consoles. It was reported that the one that comes with Red Hat Linux 7.0 can be bypassed if a regular user locks the console. According to the report, the crack is simple: When vlock asks for the password, hold down the enter key until you see the message "broken pipe." The consoles will then be unlocked.

I was unable to duplicate this on my Red Hat Linux 7.0 machine. I placed a weight on my enter key and let it go for about five minutes without getting a broken pipe message. Perhaps it takes longer or there is some other factor at work. I should point out that vlock does not prevent someone from rebooting or powering off your machine and booting from a CD or floppy. If you can touch the machine you can do almost anything to it, and because of this, a console locker is of only limited use.

FreeBSD xfce port display

On FreeBSD, the xfce window manager runs xhost during its startup to
allow any local user to connect to the local X server. On a multiuser
system this is a very bad thing: it would allow a malicious
user to watch everything the logged-in user was doing, including
passwords being typed. The FreeBSD security team suggests that you
upgrade the package or remove 'xhost +$HOSTNAME' from
/usr/X11R6/etc/xfce/xinitrc and /usr/X11R6/etc/xfce/xinitrc.mwm.

mail

A carefully crafted e-mail that is replied to with the mail program (a
simple console-based mail client) can grant a malicious user
privileges equal to those of the user replying to the mail. The e-mail
message can even be crafted with a series of ^H (backspace) characters so that
the victim cannot see the dangerous text and can then be tricked
into replying to it. At this time I do not know of a fix for this.
So if you use mail for your mail, be careful what you reply to.

Netscape

Netscape versions prior to 4.76 have a client-side buffer overflow vulnerability.
HTML can be crafted that causes a buffer overflow and executes
arbitrary code on the client's machine. The fix is to upgrade your
version of Netscape to one that is newer than 4.76.